CHANNEL BY TOPICS

QUICK LINKS

NIST Vetting Guide Helps in Testing Mobile Apps to Learn What They Really Do

(M2 PressWIRE Via Acquire Media NewsEdge) While many mobile device apps such as a calendar or collaboration tools are very handy and can improve productivity, they can also introduce vulnerabilities that can put sensitive data and network resources at risk. The National Institute for Standards and Technology (NIST) is preparing recommendations for organizations to help them leverage the benefits of mobile apps while managing their risks. The authors are asking for public comments on a draft of Technical Considerations for Vetting 3rd Party Mobile Applications* by September 18, 2014.

The draft publication "describes tests that allow software security analysts to discover and understand vulnerabilities and behaviors before the app is approved for use," says NIST computer scientist Tom Karygiannis.

"Agencies and organizations need to know what a mobile app really does and to be aware of its potential privacy and security impact so they can mitigate any potential risks," explains Karygiannis. Many apps may access more data than expected and mobile devices have many physical data sensors continuously gathering and sharing information.

For example, when an employee shares a photograph through a mobile application, the mobile app may be granted access to the employee's contact list that may hold personally identifiable information that should remain private. Or individuals might be tracked without their knowledge by way of a calendar app, social media app, Wi-Fi sensor, or other utilities that access a global positioning system (GPS).

"Apps with malware can even make a phone call recording and forward conversations without its owner knowing it," Karygiannis says. Not all issues are as sinister. Certain poorly designed apps may drain batteries rapidly and may not meet the requirements of people working in the field without access to a power source. Employees should weigh any productivity gains offered by a mobile app, with the potential security and privacy risks they introduce.

Technical Considerations for Vetting 3rd Party Mobile Applications is not a step-by-step guide. It highlights the tests that should be considered when vetting a mobile app before it is approved for use. Each organization needs to consider the environment in which the app is employed, organization-specific security requirements, the context in which it will be used and the underlying security technologies supporting the use of mobile apps. For example, an organization may approve the use of a social media app for their public affairs office in order to meet its mission, but other staff members may need to restrict the permissions an app is granted, encrypt sensitive data, or change other configurations on the mobile device.

In an appendix, the authors identify and define the types of vulnerabilities specific to applications running on devices using Android and iOS operating systems.

Contact: Evelyn Brown
301-975-5661301-975-5661
The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce.CallSend SMSAdd to SkypeYou'll need Skype CreditFree via Skype
.